Windows Server 2025 brings a refreshed PowerShell experience. The legacy 2.0 engine is gone, WinGet ships preinstalled on Desktop Experience editions, Windows Terminal is in the box, and new cmdlets cover GPU partitioning and SMB over QUIC across all editions. This cheat sheet collects the commands we reach for daily, organized by category, with attention to what is genuinely new in 2025.
PowerShell on Windows Server 2025: What Changed
Windows PowerShell 5.1 remains the default shell on Windows Server 2025 and ships preinstalled. The big news is the removal of the legacy Windows PowerShell 2.0 engine. As of the September 2025 rollout, scripts that explicitly request -Version 2 fall back to the default runtime, usually 5.1. Any installer or scheduled task that depended on the 2.0 engine needs an update.
PowerShell 7.x ships separately, and Server 2025 makes installation easier than ever. WinGet now ships with the Desktop Experience SKU out of the box, so we can install the latest PowerShell with a single command. Server Core does not include WinGet; on those systems we use the MSI or ZIP package.
$PSVersionTable
winget install --id Microsoft.PowerShell --source winget
The first command prints the engine version and edition. The second installs PowerShell 7 side by side with 5.1; the executable becomes pwsh.exe. If we want a clean Windows Server 2025 sandbox without touching production, a Windows VPS gives us a fresh environment in minutes.
System Information
Quick fact-finding on a freshly provisioned 2025 server:
Get-ComputerInfo | Select-Object WindowsProductName, OsVersion, CsName
Get-CimInstance Win32_OperatingSystem |
Select-Object Caption, BuildNumber, LastBootUpTime
Rename-Computer -NewName "FS-01" -Restart
Get-ComputerInfo gives a comprehensive snapshot, though it is slow. Get-CimInstance is the modern replacement for legacy WMI calls. Rename-Computer reboots the host immediately when we add -Restart.
Files, Folders, and Content
Get-ChildItem -Path C:\Logs -Recurse -Filter *.log
New-Item -Path C:\Backups -ItemType Directory
Copy-Item C:\Reports\report.pdf D:\Archive\ -Force
Remove-Item C:\Logs\*.bak -Confirm:$false
Get-Content C:\Logs\app.log -Tail 50 -Wait
Test-Path C:\Reports\Q4
The -Tail 50 -Wait combination behaves like Linux tail -f. Test-Path returns a boolean for clean existence checks inside scripts.
Processes and Services
Get-Process | Sort-Object CPU -Descending | Select-Object -First 10
Stop-Process -Name notepad -Force
Get-Service | Where-Object Status -eq "Running"
Restart-Service -Name Spooler -Force
Set-Service -Name BITS -StartupType Automatic
Set-Service -StartupType accepts Automatic, Manual, Disabled, and AutomaticDelayedStart. The Where-Object pattern filters services or processes by any property.
Networking and Firewall
Modern cmdlets have largely replaced the old netsh and ipconfig muscle memory.
Get-NetIPAddress -AddressFamily IPv4
Get-NetAdapter | Where-Object Status -eq "Up"
Test-NetConnection -ComputerName fileserver.local -Port 445
Resolve-DnsName serverspace.io
New-NetFirewallRule -DisplayName "Allow HTTP" -Direction Inbound `
-Protocol TCP -LocalPort 80 -Action Allow
Test-NetConnection combines ping, tracert, and a TCP port check. The backtick is the line continuation character.
Users, Groups, and Active Directory
Local accounts use the LocalAccounts module, which is preinstalled. For domain environments, the ActiveDirectory module ships through RSAT. Server 2025 introduced the Win2025 functional level, which enforces LDAP signing and encryption, disables RC4 in favor of AES, and makes TLS 1.3 the default.
New-LocalUser -Name "svc-backup" -Password (Read-Host -AsSecureString)
Add-LocalGroupMember -Group "Administrators" -Member "svc-backup"
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSForest -DomainName "corp.contoso.com" `
-ForestMode Win2025 -DomainMode Win2025
Get-ADUser -Filter * -Properties LastLogonDate
Get-ADDomainController -Filter *
Reading the password as a secure string at the prompt avoids leaving plaintext credentials in script files. The Win2025 forest mode unlocks the new identity defaults; we set it explicitly during forest creation.
Roles, Features, and WinGet
Get-WindowsFeature | Where-Object InstallState -eq "Installed"
|
The winget upgrade --all command is the closest thing Windows Server has to apt upgrade. WinGet on the server is Desktop Experience only; Server Core admins still rely on Install-WindowsFeature.
Hyper-V and GPU Partitioning (New in 2025)
Hyper-V on Server 2025 received some of the most substantial updates in the release. Scalability climbed to 4 PB of host memory, 240 TB per VM, and 2,048 virtual processors per VM. GPU Partitioning (GPU-P) is now fully supported with live migration in clustered scenarios.
Get-VM
New-VM -Name "WEB-01" -MemoryStartupBytes 4GB -Generation 2
Set-VMProcessor -VMName "WEB-01" -Count 4
Add-VMNetworkAdapter -VMName "WEB-01" -SwitchName "vSwitch01"
Start-VM -Name "WEB-01"
GPU partitioning splits a single physical GPU across multiple VMs through SR-IOV, with each partition isolated by hardware. We configure the partition count on the host, then attach a partition to each VM that needs GPU acceleration.
$gpu = Get-VMHostPartitionableGpu
Set-VMHostPartitionableGpu -Name $gpu.Name -PartitionCount 4
Add-VMGpuPartitionAdapter -VMName "AI-WORKER-01"
Get-VMGpuPartitionAdapter -VMName "AI-WORKER-01" |
Format-List InstancePath, PartitionId
The host needs SR-IOV enabled in firmware, vendor vGPU drivers (NVIDIA vGPU 18.x or later for live migration), and the Hyper-V role active. Live migration of GPU-attached VMs requires Server 2025 Datacenter in a failover cluster.
SMB Shares and SMB over QUIC (New in 2025)
SMB over QUIC was previously locked to the Azure Edition. Server 2025 makes it available on every edition, including Standard. QUIC creates a TLS 1.3 encrypted tunnel over UDP port 443, so SMB traffic does not need TCP/445 exposed to the internet.
Install-WindowsFeature -Name FS-FileServer -IncludeManagementTools
New-SmbShare -Name "Projects" -Path "D:\Data\Projects" `
-FullAccess "Domain\Admins"
$cert = Get-ChildItem Cert:\LocalMachine\My |
Where-Object Subject -Match "fileserver.contoso.com"
New-SmbServerCertificateMapping -Name "fileserver.contoso.com" `
-Thumbprint $cert.Thumbprint -StoreName My
Set-SmbServerConfiguration -EnableSMBQUIC $true
Grant-SmbClientAccessToServer -Name "fileserver" `
-IdentifierType SHA256 -Identifier $clientHash
Enabling QUIC requires a TLS server certificate stored in Cert:\LocalMachine\My. Client Access Control via Grant-SmbClientAccessToServer is genuinely new in 2025 and gives us per-client allowlists based on certificate identity.
Remoting and Scheduled Tasks
Enable-PSRemoting -Force
Enter-PSSession -ComputerName SRV-DC01
Invoke-Command -ComputerName SRV-DC01 -ScriptBlock { Get-Service DNS }
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" `
-Argument "-File C:\Scripts\Backup.ps1"
$trigger = New-ScheduledTaskTrigger -Daily -At 2am
Register-ScheduledTask -TaskName "DailyBackup" `
-Action $action -Trigger $trigger -RunLevel Highest
Enable-PSRemoting configures WinRM and opens the firewall. Invoke-Command is faster for one-off remote queries; New-PSSession is the right choice for multiple commands against the same target. The -RunLevel Highest flag runs the scheduled task with elevated privileges.
Quick Reference Table
| Category | Task | Command |
|---|---|---|
| Help | Find a cmdlet | Get-Command *user* |
| System | OS build and version | Get-ComputerInfo |
| Files | List recursively | Get-ChildItem -Recurse |
| Process | Top CPU consumers | Get-Process | Sort CPU -desc |
| Service | Restart a service | Restart-Service Spooler |
| Network | Test a port | Test-NetConnection -Port 445 |
| Firewall | Allow inbound port | New-NetFirewallRule ... |
| Users | Add local admin | Add-LocalGroupMember ... |
| AD | Install forest (Win2025) | Install-ADDSForest -ForestMode Win2025 |
| Roles | Add IIS | Install-WindowsFeature Web-Server |
| Hyper-V | Create VM | New-VM -Name ... |
| GPU-P (2025) | Attach partition | Add-VMGpuPartitionAdapter |
| SMB QUIC (2025) | Enable QUIC | Set-SmbServerConfiguration -EnableSMBQUIC $true |
| Remoting | Run remote command | Invoke-Command -ComputerName ... |
Common Pitfalls
Execution policy blocks scripts. Server defaults to RemoteSigned, which rejects locally written code unless we adjust scope with Set-ExecutionPolicy RemoteSigned -Scope LocalMachine. Aliases like ls, cp, and rm are fine at the prompt; in committed code we use full cmdlet names. AD cmdlets do not exist until we run Install-WindowsFeature RSAT-AD-PowerShell.
Conclusion
This cheat sheet covers the daily-driver cmdlets plus the meaningful 2025 additions: GPU partitioning, SMB over QUIC across all editions, the Win2025 functional level, and WinGet on the server. Bookmark this page, install PowerShell 7 alongside the default 5.1, and audit any old scripts that still reference the removed 2.0 engine.
